DoD 8570 Certification Guide: IAT, IAM, IASAE & CSSP Role Requirements

DoD Certification
February 18, 2026
CBT Proxy

The Department of Defense (DoD) relies on a highly skilled, fully qualified cyber workforce to secure its networks, defend critical missions, and protect national security interests. DoD Directive 8570 established the original framework for Information Assurance (IA) training, certification, and workforce management requirements that continue to guide cyber personnel across the DoD enterprise even as responsibilities transition under DoD 8140.

This guide provides a comprehensive, official-style overview of the DoD 8570 baseline certification requirements for the four major cyber workforce categories: Information Assurance Technical (IAT), Information Assurance Management (IAM), Information Assurance System Architecture & Engineering (IASAE), and Cybersecurity Service Provider (CSSP). It is intended as a reference for contractors, DoD civilians, military personnel, and organizational leaders responsible for maintaining workforce compliance.

1. Background: Purpose of DoD 8570

DoD Directive 8570.01-M was introduced to ensure that all IA and cybersecurity personnel possess the knowledge, skills, and industry-recognized certifications necessary to protect DoD information systems. Under 8570, the Department established:

  • A unified baseline certification matrix
  • Standardized workforce categories and levels
  • A requirement that personnel obtain and maintain approved certifications
  • A mandate for contractor alignment and compliance
  • A common qualification structure across DoD components

Though 8570 is being phased into the updated 8140 ecosystem, its classification system (IAT, IAM, IASAE, CSSP) remains the foundation for DoD personnel assignment and certification validation.

2. DoD 8570 Workforce Categories

The 8570 standard organizes cyber workforce personnel into four primary categories, each aligned with specific duties and responsibilities.

The categories include:

  • Information Assurance Technical (IAT)
  • Information Assurance Management (IAM)
  • Information Assurance System Architecture and Engineering (IASAE)
  • Cybersecurity Service Provider (CSSP)

Each category is further broken into levels based on complexity and responsibility.

3. Information Assurance Technical (IAT)

IAT personnel perform hands-on technical cybersecurity and information assurance functions. Their responsibilities include:

  • Implementing and maintaining security controls
  • Configuring and managing DoD information systems
  • Supporting network defense operations
  • Managing system and network vulnerabilities

IAT personnel must demonstrate technical proficiency aligned with their assigned level.

IAT Level I

Typical Roles

  • Help Desk Technician
  • Junior System Administrator
  • Network Support Technician

Primary Responsibilities

  • Basic device configuration
  • Routine system maintenance
  • Initial security control implementation

Approved Baseline Certifications

  • CompTIA A+
  • CompTIA Network+
  • CCNA (Cisco Certified Network Associate)

IAT Level II

Typical Roles

  • System Administrator
  • Network Administrator
  • Mid-level Cybersecurity Analyst

Primary Responsibilities

  • Enforcement of DoD security policies
  • System security configuration
  • Incident detection and reporting

Approved Baseline Certifications

  • CompTIA Security+
  • CompTIA CySA+
  • GICSP
  • CCNA Security

IAT Level III

Typical Roles

  • Senior System Administrator
  • Senior Cybersecurity Engineer
  • Network Security Engineer

Primary Responsibilities

  • Advanced system defense operations
  • Security architecture implementation
  • Integration of enterprise security controls

Approved Baseline Certifications

  • CASP+ (CompTIA Advanced Security Practitioner)
  • CISSP (Certified Information Systems Security Professional)
  • GCED (GIAC Certified Enterprise Defender)

4. Information Assurance Management (IAM)

IAM personnel oversee cybersecurity programs, manage IA operations, and ensure compliance with DoD policies. They have managerial, administrative, and oversight responsibilities.

IAM Level I

Typical Roles

  • Security Manager (Entry-Level)
  • Information Assurance Officer

Primary Responsibilities

  • Local security program management
  • User access oversight
  • Basic compliance enforcement

Approved Baseline Certifications

  • CAP (Certified Authorization Professional)
  • GSLC (GIAC Security Leadership Certification)

IAM Level II

Typical Roles

  • Mid-level Cybersecurity Manager
  • Cyber Program Supervisor
  • Information Systems Manager

Primary Responsibilities

  • Oversight of organizational IA operations
  • Vulnerability and risk management
  • Policy implementation and monitoring

Approved Baseline Certifications

  • CISM (Certified Information Security Manager)
  • CISSP

IAM Level III

Typical Roles

  • Senior Cybersecurity Manager
  • Chief Information Security Officer (CISO)
  • Enterprise Security Leader

Primary Responsibilities

  • Enterprise-wide IA oversight
  • Strategic policy development
  • Resource planning and compliance assurance

Approved Baseline Certifications

  • CISSP
  • GSLC

5. Information Assurance System Architecture and Engineering (IASAE)

IASAE personnel focus on the design, engineering, and architecture of secure information systems. They ensure that DoD systems meet cybersecurity requirements throughout the lifecycle.

IASAE Level I, II, III

(These levels function as progressive technical roles, though the baseline certifications remain similar.)

Typical Roles

  • Cybersecurity Architect
  • Systems Security Engineer
  • Enterprise Architect

Primary Responsibilities

  • Architecture design
  • System cybersecurity integration
  • RMF control inheritance and mapping

Approved Baseline Certifications

  • CISSP-ISSAP (Information Systems Security Architecture Professional)
  • CISSP-ISSEP (Information Systems Security Engineering Professional)
  • CSSLP (Certified Secure Software Lifecycle Professional)

These certifications demonstrate advanced engineering and architectural expertise.

6. Cybersecurity Service Provider (CSSP) Roles

6.1 Overview

The CSSP category supports defensive cyber operations (DCO) and security monitoring functions. CSSP personnel typically operate within Security Operations Centers (SOCs), incident response teams, and DoD cyber defense units.

CSSP roles include:

  • CSSP Analyst
  • CSSP Infrastructure Support
  • CSSP Incident Responder
  • CSSP Auditor
  • CSSP Manager

Each role has distinct responsibilities and certification requirements.

6.2 CSSP Analyst

Responsibilities

  • Monitoring networks
  • Detecting cyber incidents
  • Threat analysis

Approved Certifications

  • CEH (Certified Ethical Hacker)
  • CySA+
  • GCIH

6.3 CSSP Infrastructure Support

Responsibilities

  • Network defense support
  • Infrastructure monitoring
  • Tool configuration

Approved Certifications

  • Security+
  • CySA+
  • GNFA

6.4 CSSP Incident Responder

Responsibilities

  • Cyber incident identification
  • Containment and eradication
  • Forensic triage

Approved Certifications

  • GCIH
  • CEH
  • GCFA

6.5 CSSP Auditor

Responsibilities

  • Security review and assessments
  • Compliance verification
  • Risk and vulnerability audits

Approved Certifications

  • CISA
  • GSNA
  • CEH

6.6 CSSP Manager

Responsibilities

  • Supervising DCO operations
  • Overseeing SOC performance
  • Managing enterprise cyber defense

Approved Certifications

  • CISSP
  • CISM

7. Certification Timelines and Maintenance

Personnel assigned to 8570 roles must:

  • Obtain the required certification prior to or within 6 months of assignment (depending on component policy).
  • Maintain certification currency through CEUs, CPEs, or continuing education activities.
  • Upload certification validation to the appropriate DoD workforce management system.

Failure to meet or maintain these requirements may result in removal from the role or loss of contract eligibility (for contractors).

8. Organizational Responsibilities

DoD components and contractors must ensure:

  • Workforce alignment to the correct 8570 category
  • Certification records are updated and auditable
  • Personnel meet certification timelines
  • Ongoing training and skill sustainment
  • Full compliance with the DoD Cyber Workforce Framework (DCWF)

Contractors must ensure contract personnel meet certification requirements before beginning performance.

9. Summary

The DoD 8570 framework remains a cornerstone of the Department’s workforce qualification program and continues to guide personnel credentialing under the transition to 8140. By defining clear certification paths for IAT, IAM, IASAE, and CSSP roles, the DoD ensures a cyber workforce capable of securing and defending mission-critical systems.

Understanding and meeting 8570 requirements is essential for:

  • DoD civilians
  • Military personnel
  • Defense contractors
  • IT and cyber professionals supporting DoD networks

Compliance ensures readiness, enhances operational security, and enables organizations to meet federal cyber workforce mandates.
